Abstract

When there's no technical vulnerability to exploit, you should try to hack what humans 
left for you, and believe me, this always works. 

Scylla provides all the power a real audit, intrusion, exclusion and analysis tool needs, giving the possibility of scanning for misconfiguration bugs dynamically.

Scylla aims to be a better tool for security auditors, extremely fast, designed based on 
real scenarios, developed by experienced coders and constructed with actual IT work 
methods. 

The words "Configuration Tracer" are the best definition for Scylla, a tool to help on IT 
audits. 



Introduction 

This document is a reference manual about what Scylla is and what its capabilities are. It walks the user through a hypothetical scenario showing what he/she is able to do when using Scylla, with a basic explanation of each of its modules and their features.

Scylla is not solely meant to be an exploitation tool or a tool to discover vulnerabilities within applications, but rather a method to hack and patch "human stupidity", such as common errors or flaws unintentionally left in service configuration. Scylla is built over an extremely fast and reliable core, with anti-anti-brute-force techniques, error recovery protocols, and a lot of speedup tricks, with most manual attacks (and other types of attacks unknown to the user) being coded to avoid repetitive tasks.

BTW, in case you missed it, this is the 1.0a version, and the "a" comes from "A lot of work to do", "A lot of bugs (I think)" and "A lot of testing left", and we will appreciate your help a lot :)

Objective 

Scylla is a tool to audit different online application protocols and configurations, built over a brute-force core.

This tool acts as a tool for unifying auditing techniques; in other words, it does what oscanner, winfingerprint, Hydra, DirBuster and other tools do, and also what those tools don't do.

Scylla is arguably the first free, open-source auditing/hacking tool for protocols such as LDAP, DB2, Postgres, terminal and MSSQL; Scylla adds tons of new features to what those other tools do, but with a key difference: it does them faster and smarter!

Supported Protocols 

✓ Terminal (Telnet, SSH, Telnets)
✓ FTP (FTPS, FTP, SFTP)
✓ SMB (also Windows RPC)
✓ LDAP
✓ POP3 (POP3S)
✓ SMTP (SMTPS)
✓ IMAP
✓ MySQL
✓ MSSQL
✓ Oracle (Database and TNS Listener)
✓ DB2 (Database and DAS)
✓ HTTP (HTTPS; Basic Auth brute force, Digest Auth brute force, form brute force, directory and file brute force)
✓ DNS (DNS snooping)
✓ Postgres SQL
✓ And more coming...



How does Scylla work? 

Scylla functions in three basic stages:

Pre-Hack Stage:

This stage is defined as what information Scylla can readily obtain without resorting to brute-force attacks (something like enumeration). Here is where anti-anti-brute-force techniques are implemented, such as getting information on password policies, latency times, etc. Scylla also obtains extra information to shape the attack: searching for protocol and service versions, verifying null sessions, and system enumeration, among other things. It also builds specially crafted lists (based on other lists). When applicable, the AutoPWN modules are run here (such as a "one click" web shell upload in a MySQL attack, or opening a blind shell using MSSQL services without any previous information).

Brute Force Stage:

Here is where Scylla shines: it is an extremely fast brute force core. For example, where Hydra makes 7.000 tries/min, Scylla makes over 22.000 tries/min against MSFTPd.

Post-Hack Stage:

What can you do with a user-password combination? Simple stuff like fetching the /etc/shadow file or the FEAT response of an FTP server, or more complex stuff such as spawning a shell with just one MSSQL command (an implementation of the OneClickOwnage paper). It is more or less like Maintaining Access or Expanding Influence.

Charybdis 

Charybdis is Scylla's counterpart. He's at the other side of the river. 

What if you "pwnd" a Linux server (or even a Windows server) and you can't get heavy tools onto it or don't have GUI access to it (or, simply, you are a *nix user)? This is why Charybdis was built: to be at the other side waiting for Scylla.

It's simply a multi-platform high-speed pipe between Scylla and whatever is on the other side. Supporting Scylla from basic "bounce" functionality to SOCKS proxy connections, Charybdis is specially crafted to provide the best performance to the attacker.



Deep Documentation (what you should see) 



Basic features:

✓ User and password list based brute force
✓ Multiple hosts support
✓ Multiple session support
✓ Nmap integration
✓ Non-synchronized threads (proven to be a bit faster)
✓ Ability to restore sessions
✓ Session auto-saving (based on SQL Server CE)
✓ Easy to use
✓ Auto-configured options
✓ Hacker oriented
✓ Free, and always free
✓ Database browser (who has hacked a DB and didn't have a DB client to connect to it? And worse if you don't have internet)
✓ Open source tool

List creation 

List creation is a component to create new lists based on existing dictionaries. The idea is to take each word in a specific list and compose different words based on it.

As-Is: Nothing special, just leave the dictionary as it is.

Double: Duplicates the word. Cut -> CutCut.

CasePerms: Creates every letter-case permutation of the word. Cut -> CuT, CUT, cuT, cut, CUt, etc.

Reverse: Reverses the word. CUTeam -> maeTUC.

LowerCase: Adds the lower-case version of the word. Cut -> cut.

UpperCase: Adds the upper-case version of the word. Cut -> CUT.

H4x0r: Adds the word in "hackers' jargon" (replaces each vowel with a number, except u; b with 8, t with 7, l with 1 and s with 5). CUTeam -> CU734m.

H4x0rPermutation: Creates every H4x0r permutation of the word. Cuteam -> Cu7eam, Cu73am, Cu7e4m, Cute4m, etc.

Date ap/prepend: Adds the word with different years appended or prepended (from 1985 to the current year). CUT -> 1985CUT, 2000CUT, CUT1990, CUT2010, etc.

2Number Append: Adds the word with 2 numbers (from 00 to 99) appended. Cut -> Cut00, Cut01 ... Cut99.
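As an added example from the defender's side (not Scylla's own code), the Python below names which of the rules above would turn a dictionary word into a given candidate password, so a password-policy check can reject candidates that such a list would reach. It assumes the manual's 1985 start year, the current year as the end of the date range, and treats "l for 1" as part of the H4x0r rule.

```python
import datetime
import re

# H4x0r substitutions from the manual: vowels except "u", plus b, t, l, s.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "b": "8", "t": "7", "l": "1", "s": "5"}
FIRST_YEAR = 1985  # start of the Date ap/prepend range (assumed from the manual)


def strip_affix(candidate, year_now):
    """Split off a year (FIRST_YEAR..year_now) prefix/suffix or a 2-digit suffix;
    returns (core, rule_name), with rule_name None when nothing was split."""
    for pattern, rule in ((r"(?P<year>\d{4})(?P<core>.+)", "Date prepend"),
                          (r"(?P<core>.+)(?P<year>\d{4})", "Date append")):
        m = re.fullmatch(pattern, candidate)
        if m and FIRST_YEAR <= int(m["year"]) <= year_now:
            return m["core"], rule
    m = re.fullmatch(r"(?P<core>.+)\d{2}", candidate)
    return (m["core"], "2Number Append") if m else (candidate, None)


def leet_rule(core, word):
    """'H4x0r' if every substitutable letter was replaced, 'H4x0rPermutation' if
    only some were, None if core is not a leet form of word (case is ignored)."""
    if len(core) != len(word):
        return None
    swapped = swappable = 0
    for c, w in zip(core, word):
        sub = LEET.get(w.lower())
        swappable += sub is not None
        if c.lower() == w.lower():
            continue  # letter kept (possibly with a case change)
        if sub is not None and c == sub:
            swapped += 1
            continue
        return None  # a character that no rule explains
    if swapped == 0:
        return None
    return "H4x0r" if swapped == swappable else "H4x0rPermutation"


def base_rule(core, word):
    """Name the single-word rule that maps word -> core, or None."""
    forms = [("As-Is", word), ("Double", word + word), ("Reverse", word[::-1]),
             ("LowerCase", word.lower()), ("UpperCase", word.upper())]
    for name, form in forms:
        if core == form:
            return name
    if core.lower() == word.lower():
        return "CasePerms"
    return leet_rule(core, word)


def derivation_rule(candidate, word, year_now=None):
    """Which list-creation rule(s) turn `word` into `candidate`? None if none do."""
    year_now = year_now or datetime.date.today().year
    attempts = [(candidate, None)]
    core, affix = strip_affix(candidate, year_now)
    if affix:
        attempts.append((core, affix))
    for core, affix in attempts:
        base = base_rule(core, word)
        if base is None:
            continue
        if affix is None or base == "As-Is":
            return affix or base
        return f"{base} + {affix}"
    return None
```

A chained result such as "LowerCase + Date append" means the candidate is one extra step away from the dictionary word, which a policy may still want to reject.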



Scylla Modules 

Most of the hacks mentioned here are configurable options, and the default options are the ones that will let you "auto-pwn", or the ones considered less intrusive or most important by the author.

FTP

Pre-Hacks:

✓ If a user is blocked, gets the maximum number of tries until a user gets blocked (numTries) and for the next user only tries numTries passwords.
✓ SFTP - Get supported ciphers

Hack:

Built-from-scratch SFTP brute force module, FTP and FTPS brute force.

Post-Hacks:

✓ Fetch FEAT response.
✓ Fetch PWD response (current directory).
✓ Fetch SYST answer (operating system information).
✓ Check LIST, STOR, MKD, DELE and RMD permissions (list, upload, make directory, delete file and remove directory).
✓ Basic directory traversal hacks:
  o /../../../../../../etc/shadow
  o \..\..\..\..\..\..\config.sys



Terminal

Pre-Hacks:

✓ If a user is blocked, gets the maximum number of tries until a user gets blocked (numTries) and for the next user only tries numTries passwords.
✓ Processes "connection limit" answers and waits 20 milliseconds until the next try.
✓ Processes MSTelnetd when user+password are correct but the user isn't in the TelnetClients group.
✓ SSH2 - Get and set supported ciphers

Hack:

Built-from-scratch SSH brute force module, implemented as fast as possible in the login process (C++), Telnet, Telnets.

More servers supported (this makes it a bit slower...).

Post-Hacks:

✓ Fetch CD response.
✓ Fetch SUDO capabilities response.
✓ Neat (or PuTTY) integration
✓ Fetch /etc/shadow and /etc/passwd

POP3

Pre-Hacks:

✓ Verify authentication types supported by the server
✓ Verify if APOP authentication is available (and use it if so)

Hack:

POP3, POP3S, Auth-login, Auth-plain, Auth-md5

Post-Hacks:

✓ Retrieve the first 10 e-mail headers
✓ Get the number of messages in the account
✓ Get e-mail addresses used in received mails

SMTP

Pre-Hacks:

✓ VRFY brute force pre-attack (tries to get only valid users)
✓ Anonymous login
✓ Verify authentication types supported by the server

Hack:

SMTP, SMTPS, Auth-login, Auth-plain, Auth-md5

Post-Hacks:

✓ Try sending a mail to root
✓ Mail relay (tries to send from [attacker@cuteam.org and attacker@specified_IP_or_URL] to [Your_mail@any_domain.com and pick_a_mail@specified_IP_or_URL])

MSSQL

MSSQL has 2 modalities: FastAttack (really fast, raw brute force) and Normal (using SQLClient). The difference is that SQLClient is safer, it has better error management and has more pre-hacks, making it a bit more intelligent; use it to avoid blocking accounts or stuff like that. Also, most post-hacks use SQLClient. If a hack is available only for SQLClient it is marked as SC.

Pre-Hacks:

✓ SC: If a password must be changed, it prompts a dialog for you to change it if you want.
✓ SC: If the max user connection limit is reached, wait 100 ms until the next try (with the same thread).
✓ SC: If user+password are found but there is an error, marks the user+password as found and displays the error.
✓ SC: If the user is blocked, moves on to the next user.
✓ SC: Test for SSPI (actual Windows user authentication)
✓ SC: Specify system version type (SQL Server 2k, 2k5, 2k8 or latest)
✓ SC: Specify Local Machine Name
✓ SC: Specify database to connect to
✓ Try the SA user with a null password

Hack:

SQLClient and raw brute force. SSL support.

Post-Hacks:

✓ Open UI for command execution. Opens a basic GUI to execute commands. Saves the command log in the Report Database (see report section). If the user doesn't have enough permissions to execute commands, it tries to enable them using:
sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE
✓ One click ownage hack. Executes any payload you define (default is TX shell), just as specified in http://ferruh.mavituna.com/papers/oneclickownage.pdf.
✓ Show databases the user can access
✓ Fetch users info, including: usernames, SID, password hash, creation date, is-disabled flag and default database name.
✓ Open Scylla DB Browser



MySQL (MySQUAL in honor of SENA, Colombia xD)

This module uses MySQL.Data.dll or ODBC (no support available) to connect to the remote host. A "raw" and faster version will also be implemented, with limited pre-hacks.

Pre-Hacks:

✓ If the max user connection limit is reached, wait 100 ms until the next try (with the same thread).
✓ If the message "password too long, must be hex" is received, only try the passwords that meet: passLen <= #password (length received in the error) AND !password.haveDigits
✓ Only try passwords of fewer than 16 characters (MySQL doesn't support more)
✓ If you want to use SSL certificates or a special SSL cipher connection, it will use ODBC with the specified options. Also, a self-signed certificate is provided.

Hacks:

SSL support, specially crafted SSL configuration, certificate-based SSL

Post-Hacks:

✓ Fetch databases that can be accessed by the user.
✓ Fetch users' profiles, including: Host, User name, Password hash, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv.
✓ If there is an HTTP server, try to upload a web-based PHP shell to it (a specially basic, auto-destroyable shell, or the famous C99).
✓ Execute server commands (via UDF)
✓ Open Scylla DB Browser

DB2

Pre-Hacks:

✓ Obtain DAS information (server database access profile)
✓ User-ID-only auth brute force
✓ Fetch EXCSAT and other packet responses (used to auto-configure the Hack phase and give additional info to the user).
✓ Hosts of fewer than 18 characters accepted

Hack:

SSL support (if applicable), encrypted auth.

Post-Hacks:

✓ List all tables (list tables for all)
✓ List tables for specific users (select name, creator from systables order by name)
✓ Security policies check (select * from syssecuritypolicies)
✓ Audit policies check (select * from sysauditpolicies)
✓ Fetch roles and role authorizations
✓ Fetch users' authorizations (select grantee, tableschema, tablename from sysuserauth)
✓ Fetch users and user privileges



ORACLE

This module uses the Ora.Net provider for the database connection. The TNSListener module is built as a partner of the Oracle module.

Pre-Hacks:

✓ Fetch SID
✓ SID brute force
✓ TNS version detection
✓ Allow the user to specify a SID (obligatory if no SID could be fetched or guessed; if none is given, Scylla uses ORCL)
✓ Try over 500 default user-password pairs before the real brute force
✓ Fetch blocked accounts

Hack:

If the user must connect as SYSOPER or SYSDBA, tell the user and append SYSDBA to the connection string for post-hacks.

Post-Hacks:

✓ Fetch usernames and user information
✓ Fetch users' access dates
✓ Fetch new and old password hashes
✓ Fetch database names the user can see
✓ Fetch policies
✓ Fetch roles and role information
✓ Fetch links (useful to find clear-text passwords and other interesting info)
✓ Open Scylla DB Browser

SMB

The trick here is using the Windows API, which is actually faster than Samba. This module is not just about SMB, but also Windows RPC.

Pre-Hacks:

✓ Try for null or anonymous sessions.
✓ Try to fetch the password policy and adjust the hack phase settings to avoid blocking users and stuff like that.
✓ If the operating system only accepts LM authentication, remove all passwords of length greater than 14 from the password list.

Hack:

NT, LM, NTLMv2, everything WNetAddConnection3 supports

Post-Hacks:

✓ fgDump wrapper (get password hashes)
✓ Fetch users
✓ Fetch groups (user-group relations)
✓ Fetch OS version
✓ Fetch RPC binds
✓ Fetch network adapters
✓ Fetch disks and shares
✓ Fetch active sessions
✓ Fetch event log
✓ System date and time
✓ Fetch patch level
✓ Via Active Directory:
  • GetShares (directories)
  • GetGroups
  • Get operating system version
  • Get users



HTTP

This module is a bit different; it is divided into three sub-modules:

HTTP-Basic Auth: Where the only real pre-hack is to fetch the authentication type supported by the basic-auth module (and auto-configure the brute force hack depending on it). It supports Digest (using MD5) and Basic auth.

HTTP-Form: This is like other brute-forcers but a bit more intuitive. For the next release (hopefully this one) a new Charybdis module will be built to auto-configure brute force parameters depending on user navigation.

HTTP-Dir/File Brute Force: Tries to find hidden directories/files by brute force. This module also maps the entire website to find its whole structure, using HEAD requests for brute force and GET requests for web mapping. On a 3xx response, it follows the Location header. As a small intelligent touch, it doesn't show the user an apparently found file (from web mapping) unless it receives a 200 or 403 response. This cuts down on the number of false positives and, like every Scylla module, it is "error proof".
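As an added example (not part of Scylla or Charybdis), the Python below is the server-side view of the HEAD-based guessing described above: it parses constructed combined-format access log lines and flags a client that sends many HEAD requests answered with 404/403 within one minute. The thresholds, the sample addresses and the probed paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx); only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample traffic (not from the manual): one client guessing directory
# names with HEAD requests, one ordinary browser session.
PROBED = ["/admin/", "/backup/", "/old/", "/test/", "/private/", "/upload/",
          "/logs/", "/tmp/", "/db/", "/config/", "/stats/", "/cgi-bin/"]
SAMPLE_LOG = [
    f'10.0.0.5 - - [28/Jul/2012:10:00:{i:02d} +0000] "HEAD {p} HTTP/1.1" 404 0 "-" "-"'
    for i, p in enumerate(PROBED)
] + [
    '10.0.0.9 - - [28/Jul/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [28/Jul/2012:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [28/Jul/2012:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (ip, epoch_seconds, method, status), or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], int(m["status"])


def find_dir_bruteforce(lines, window_s=60, min_requests=10,
                        min_miss_ratio=0.7, min_head_ratio=0.5):
    """Flag clients whose traffic in one window looks like HEAD-based directory guessing.

    A client is flagged when a `window_s` bucket holds at least `min_requests`
    requests, mostly 404/403 (guesses that missed or were denied) and mostly HEAD,
    which is how mapping-plus-guessing shows up on the server side.
    Returns {ip: {"total": n, "misses": n, "head": n}} for flagged clients.
    """
    buckets = defaultdict(lambda: {"total": 0, "misses": 0, "head": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, status = parsed
        b = buckets[(ip, int(ts) // window_s)]
        b["total"] += 1
        b["misses"] += status in (403, 404)
        b["head"] += method == "HEAD"
    flagged = {}
    for (ip, _), b in buckets.items():
        if (b["total"] >= min_requests
                and b["misses"] / b["total"] >= min_miss_ratio
                and b["head"] / b["total"] >= min_head_ratio):
            flagged[ip] = b
    return flagged


if __name__ == "__main__":
    for ip, stats in find_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {stats['total']} requests, {stats['misses']} misses, {stats['head']} HEAD")
```

Because the module suppresses findings that are not 200 or 403, the 404s it leaves behind in the server log are the signal worth alerting on.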



Postgres

This module uses NPgsql.dll.

Pre-Hacks:

Try the admin-admin user-password combination

Hacks:

SSL support; crypt, password, md5 and the other methods supported by NPgsql.dll

Post-Hacks:

✓ Fetch databases that can be accessed by the user.
✓ Fetch the user's profile (pg_shadow, pg_user, pg_group, etc.)
✓ Open Scylla DB Browser



LDAP

LDAP query tool

Pre-Hacks:

Try null password
Try anonymous auth

Hacks:

SSL support

Post-Hacks:

✓ Fetch users info
✓ Fetch groups
✓ Fetch computer info



DNS Snooping

Pre-Hacks:

✓ Try to see if the server is vulnerable by querying the server for common names

Hacks:

SSL support

Post-Hacks:

✓ Fetch Answers
✓ Fetch Name Servers
✓ Fetch Additional info
✓ Determine if it's an authoritative server



Report Module

Every result the modules produce is stored in a SQL CE database, so your session information won't get lost. A report viewer was built so you can see the information easily.

[Screenshot: Scylla Report Viewer]




THE FUTURE

This took eight months of work, just for DEF CON 20. Now try to imagine the future of this tool. We will work primarily on making it faster and more accurate. Other modules are planned, like SVN, CVS, RSH, RDP and more. And at last we will be adding hacks, tons of hacks; we'll try to make it a more complete tool of its kind.

There are also plans to synchronize Scylla with other tools like MSF and Nessus.

Our principal objective is to give as many capabilities as possible to the users, and still be a "hacker-oriented" tool. We are conscious that there is no "wonder tool for everything" and that real hacking is more of a manual process, and that all we need is information, and possibly direction.



CONCLUSION

Perhaps I'm not the best qualified person to be writing something here; you have the documentation and you can try this tool, so you can draw your own conclusions. There is one last thing to be said: I'm not intending to say that other tools are "worse" (they might be better than Scylla), just that maybe I got more free time. Every tool referenced here is a masterpiece (if you have some time, you should please check them out). I thank the authors for building them and giving people like me tools to work with, and even better, inspiration!

You can be sure of something... There is more coming soon!



More pics :D

[Screenshot: Scylla DB Browser over MSSQL]
[Screenshot: Advanced List Options]
[Screenshot: Report Viewer]
[Screenshot: FTP Report Module]
[Screenshot: Scylla main GUI]
[Screenshot: MSSQL Advanced options]
[Screenshot: Nmap Wrapper]
[Screenshot: FSH over MSSQL]